i mproved s trongly d eniable a uthenticated k ey e
play

I MPROVED S TRONGLY D ENIABLE A UTHENTICATED K EY E XCHANGES F OR S - PowerPoint PPT Presentation

I MPROVED S TRONGLY D ENIABLE A UTHENTICATED K EY E XCHANGES F OR S ECURE M ESSAGING Nik Unger and Ian Goldberg Secure Messaging 2 Secure Messaging All-Verifier Deniable Anonymous Authentication End-to Authentication End Zone


  1. I MPROVED S TRONGLY D ENIABLE A UTHENTICATED K EY E XCHANGES F OR S ECURE M ESSAGING Nik Unger and Ian Goldberg

  2. Secure Messaging 2

  3. Secure Messaging “All-Verifier” Deniable Anonymous Authentication End-to Authentication End Zone (OTR, Signal) Confidentiality TLS to Server Plaintext Authentication 3

  4. Why Deniability? 4

  5. Deniable Messaging Crypto B A Magic <B> there’s a protest about it tomorrow <B> want to go? <A> Yes! <B> ok, no phones 5

  6. Deniable Messaging <B> there’s a protest about it tomorrow <B> want to go? <A> Yes! <B> ok, no phones 6

  7. Deniable Messaging…? A B 7

  8. Offline vs. Online Deniability Offline Online Deniability Deniability Crypto A B Magic A B <B> there’s a protest about it tomorrow <B> want to go? <A> Yes! <B> ok, no phones 8

  9. Deniable Messaging…? ● See Appendix A – Attacks on OTRv3 and Signal ● Also see ia.cr/2018/424: 9

  10. Deniable Messaging A B 10

  11. Deniable Messaging A B 11

  12. In This Paper ● Two new efficient key exchange protocols Interactive Non-interactive 12

  13. Security Properties ● Confidentiality ● Mutual authentication ● Forward secrecy ● Contributiveness ● Offline and online deniability 13

  14. Crypto Toolbox Identity key (long-term asymmetric) Ephemeral key (short-term asymmetric) Shared session key (symmetric) Diffie-Hellman shared secret 14

  15. Crypto Toolbox Signature Create: need private ID Eph. Sym. Verify: need public key key key Diffie-Hellman MAC shared secret Create: need Verify: need Ring signature Create: need one private , , or Verify: need all public , , and 15

  16. Crypto Toolbox ID Eph. Sym. key key key Diffie-Hellman shared secret Signature MAC Ring signature 16

  17. Deniable Authenticated Key Exchanges A B DAKE Secure messaging protocol 17

  18. DAKEZ A B ID Eph. Sym. key key key Diffie-Hellman shared secret Signature MAC Ring signature Shared key ( ): 18

  19. DAKEZ: Authentication Nobody else A B knows or , ID Eph. Sym. so they know key key key Diffie-Hellman shared secret Signature MAC Ring signature Shared key ( ): 19

  20. DAKEZ: Authentication Nobody else A B knows or , ID Eph. Sym. key key key so they know Diffie-Hellman shared secret Signature MAC Ring signature Shared key ( ): 20

  21. DAKEZ: Offline Deniability F F ID Eph. Sym. key key key Diffie-Hellman shared secret Signature MAC Ring signature Shared key ( ): 21

  22. DAKEZ: Online Deniability B A A ID Eph. Sym. key key key Diffie-Hellman shared secret Signature MAC Ring signature Shared key ( ): 22

  23. Mobile? 23

  24. Mobile Use A B “Prekeys” Recipient ID Message Message 24

  25. ZDH A B ID Eph. Sym. key key key Diffie-Hellman shared secret Signature MAC Shared key ( ): Ring signature & 25

  26. ZDH: Authentication A B ID Eph. Sym. key key key Nobody else knows Diffie-Hellman shared secret so any reader must know Signature MAC Shared key ( ): Ring signature & 26

  27. Weak Forward Secrecy (Like Signal, originally) A B (Ciphertext for & ) (Time passes) Collect 27

  28. XZDH A B ID Eph. Sym. key key key Diffie-Hellman shared secret Signature MAC Shared key ( ): Ring signature & & 28

  29. Is This Secure? 29

  30. Is This Secure? “Yes.” 30

  31. OTRv4 Adoption ● External adoption: OTRv4 team 31

  32. Performance SIGMA-R DAKEZ X3DH XZDH 3DH ZDH (OTRv3) (OTRv4) (Signal) (OTRv4) Key Gen. 0.0240 0.0440 0.0228 0.0429 0.0240 0.0444 (ms) Key Exch. 0.3478 1.094 0.4229 0.778 0.5533 0.9217 (ms) ID Key 32 32 32 32 32 32 (bytes) Prekey - - 32 32 32 & 96 32 & 96 (bytes) Key Exch. 272 464 80 304 80 304 (bytes) 32

  33. Extras in the Paper 33

  34. Extras in the Paper A Quantum- Efficient resistant dual-receiver transitional encryption B security Defeating Implementation A “B” key-compromise details & advice impersonation 34

  35. Summary ● New key exchanges: DAKEZ, (X)ZDH ● Secure connection, eponymous, no all-verifier authentication required? Use these! ● Code & data: crysp.org/software/dakez_xzdh ● Come see OTRv4 at HotPETs ● Coming soon: group messaging Thank you! njunger@uwaterloo.ca 35

  36. You’ve Activated My Bonus Slides!!! 36

  37. Limited Online Deniability A B “Prekeys” Recipient ID Auth with , Auth, Msg , Auth, Msg 37

  38. RSDAKE and Spawn ● Standard model Random oracle model � – Obscure assumptions common assumptions � – Seconds milliseconds � – Improved security (contributiveness, forward secrecy) ● RSDAKE DAKEZ � ● Spawn ZDH � 38

  39. DAKE Comparison 39

  40. Signal Deniability 3DH X3DH IK A IK B IK A IK B 1 1 1 1 2 2 EK A EK B EK A SPK B 3 3 4 OTK B 40

  41. Lack of Contributiveness ● Problems with non-contributory: – Can coerce a client to use a known secret – Can use a secret known to a third-party, allowing them to decrypt without their consent ● Non-problems with non-contributory: – Contributiveness does not prevent desirable bits – Contributiveness does not defend against weak PRNGs 41

  42. ZDH A B ID Eph. Sym. key key key Diffie-Hellman shared secret Signature MAC Shared key ( ): Ring signature & 42

  43. ZDH: Authentication Nobody else knows A B or , so they know . ID Eph. Sym. key key key They also know Diffie-Hellman shared secret Signature MAC Shared key ( ): Ring signature & 43

  44. Mitigating KCI Attacks A B ID Eph. Sym. key key key Diffie-Hellman shared secret Signature MAC Ring signature Shared key ( ): 44

  45. Online Deniability Attack for Signal ● (Alice is coerced by Judson) ● Alice downloads Bob’s prekey: IK B , SPK B , Sig(IK B , Encode(SPK B )) ● Judson generates key pair with public EK A ● Alice provably reveals DH(IK A , SPK A ) ● Alice sends EK A to Bob ● Judson can compute the secret, Alice cannot 45

  46. Quantum Transitional Security ● Authenticate quantum KEM, like CECPK1 46

  47. DAKEZ 47

  48. ZDH & XZDH 48

Recommend


More recommend